Listing of Claims 



This listing of claims 1-6 will replace all prior versions, and listing of claims in the 
application. 

1 . (Currently Amended) A method for detecting malicious scripts 
using a static analysis, comprising the step of: 

checking a script to determine whether a series of methods constructing a 
malicious code pattern exist and whether parameters and return values associated 
between the methods match each other, 

wherein the checking step comprises the steps of: 

a) _classifying, by modeling a malicious behavior to include unit behaviors 
each of which is composed of sub-unit behaviors or one or more method calls, 

b) generating a matching rule by converting each identified unit 
behavior and method call sentence into said a-matching rule for defining sentence types 
to be detected in script codes , said matching rule comprising rule identifiers and sentence 
patterns to be detected and 

c) _generating at least one relation rule for defining a relation 
between rule variables used in the sentences satisfying the matching rule; 

d) identifying generating instances of the matching rule by: 

i) searching for code patterns matched with the matching 
rule from a relevant script code to be detected, 

ii) extracting parameters of functions used in the searched 

code patterns; and 

iiijLstoring the extracted parameters in the rule variables; and 

e) identifying generating instances of the relation rule by searching for 
instances of the matching rule satisfying the relation relations rule from the a -set of the 
generated instances of the matching rule. 
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2. (Currently Amended) The method according to claim 1, wherein the 
matching rule is compos e d of rul e identifiers and sentence patterns constructing 
malicious behavior and having have the same grammar as a language of the scripts to be 
detected , and wh e r e in the r e lation rule comprises conditional e xpr e ssions (Cond) in 
which conditions satisfying the relevant rul e are described, and action expr e ssions 
(Action) in which cont e nts to b e e x e cut e d ar e described wh e n the conditions in the 
conditional expr e ssions ar e satisfied . 

3. (Original) The method according to claim 2, wherein the relation rule further 
includes preconditions (Precond) in which conditions that should be satisfied prior to the 
conditions in the conditional expressions are described, and the action expressions 
describe contents that will be executed when both the conditional expressions and the 
preconditions are satisfied. 

4. (New) The method according to claim 1, further comprising the step of 
converting the script into a format suitable for static analysis. 

5. (New) The method according to claim 1, further comprising the step of 
reporting identified instances of the matching rule and relation rule in a result report 
process. 

6. (New) The method according to claim 1, wherein the relation rule comprises 
conditional expressions (Cond) in which conditions satisfying the relevant rule are 
described, and action expressions (Action) in which contents to be executed are described 
when the conditions in the conditional expressions are satisfied. 
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